The present invention relates to preventive computer software security, and more particularly, prevention of memory corruption vulnerability exploitation.
Memory corruption attacks against software written in, e.g., C or C++ are still prevalent and remain a significant cause of security breaches. Defenses providing full memory safety remain expensive, and leaner defenses that only address control-flow data are insufficient.
Most prominent published exploits (e.g., from competitions or various vulnerability reward programs) in the last few years rely on memory corruption vulnerabilities to achieve remote code execution, sandbox escape, privilege escalation, or leakage of sensitive data. The increasing difficulty of crafting such exploits is in part due to mitigations developed over the last two decades. These include advanced defense mechanisms pioneered by the research community, such as Control Flow Integrity (CFI).
Many mitigation approaches focus on providing control-flow integrity, i.e. the protection of code and code pointers. CFI approaches often assume a very powerful attacker, capable of arbitrary memory reads and writes, albeit with a comparatively restrictive goal: modification of control flow. However, vulnerabilities such as Heartbleed demonstrate that even attackers with (restricted) out-of-bound read capability can already achieve their goals (such as leaking sensitive cryptographic material). In essence, control-flow data is in general not the only data that a program needs to protect to fulfill its security goals. At the same time, approaches that aim to provide full memory safety currently incur prohibitively high overhead.
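The Heartbleed case above illustrates the gap: the bug was a missing length check on a non-control data path, so no code pointer was ever modified and CFI had nothing to detect. The following is an added example, not code from the patent or from OpenSSL, showing the record-parsing check that was missing; the record layout follows RFC 6520 (type byte, 16-bit payload length, payload, at least 16 bytes of padding), and the function names and the sample records are constructed for this illustration.

```c
/* Added example: bounds check for a TLS heartbeat record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The vulnerable code copied payload_length bytes from the record without
 * checking that many bytes had actually been received, so a short record
 * with a large claimed length echoed adjacent heap memory back to the peer.
 * No code pointer changes, which is why control-flow integrity cannot help. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_HDR_LEN 3       /* type byte + 2-byte payload length */
#define HB_MIN_PADDING 16  /* RFC 6520 minimum padding */

/* Validate a received record and return the payload length that may safely
 * be echoed, or -1 if the claimed length does not fit the received bytes. */
int hb_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: header + claimed payload + minimum padding must lie
     * within the bytes actually received. claimed <= 65535, so no overflow. */
    if (HB_HDR_LEN + claimed + HB_MIN_PADDING > rec_len)
        return -1;
    return (int)claimed;
}

/* Copy the validated payload into out; returns bytes written or -1. */
int hb_echo(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    int n = hb_payload_len(rec, rec_len);
    if (n < 0 || (size_t)n > out_cap)
        return -1;
    memcpy(out, rec + HB_HDR_LEN, (size_t)n);
    return n;
}

int main(void)
{
    /* Constructed records: a well-formed one with a 4-byte payload and 16
     * bytes of padding, and an identically sized one claiming 0x4000 bytes. */
    uint8_t good[HB_HDR_LEN + 4 + 16] = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t bad[HB_HDR_LEN + 4 + 16]  = {0x01, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    printf("good: %d\n", hb_echo(good, sizeof good, out, sizeof out)); /* 4 */
    printf("bad:  %d\n", hb_echo(bad, sizeof bad, out, sizeof out));   /* -1 */
    return 0;
}
```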